This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.

You can also follow me on twitter @FE80CC1E



Sunday, May 22, 2011

Quick Notes - NTP Update-Calendar

There are some platforms that have a hardware clock that is powered by a battery. This is in addition to the software based clock. The software clock is synchronized to an external time source via NTP. At times the hardware clock may drift if it is not periodically updated by the software clock. It is best practice to update the hardware clock periodically with the software clock.

"ntp update-calendar" updates the hardware clock

Friday, May 20, 2011

Quick Notes - Prefix-List Matching Class A,B,C

Prefix lists can be used to match a complete address class

Class A = 1.0.0.0 – 126.255.255.255
Class B = 128.0.0.0 – 191.255.255.255
Class C = 192.0.0.0 – 223.255.255.255


The classes can be defined by the starting bits in the first octet


Class A = 0
Class B = 10
Class C = 110



In order to match Class A, B, or C you need to perform the following:

Sunday, May 15, 2011

Quick Notes - Administrative Distance

0     - Connected
1     - Static
5     - EIGRP Summary Route
20   - eBGP
90   - EIGRP
100 - IGRP
110 - OSPF
120 - RIP
160 - ODR
170 - EIGRP External Route
200 - iBGP
255 - Unknown

Tuesday, May 10, 2011

Quick Notes - BGP Dampening with route-map

ip prefix-list XY seq 5 permit 10.0.0.0/15 le 32

route-map DAMPENING permit 10
 match ip address prefix-list XY
 set dampening 15 750 2000 60

router bgp 100
 bgp dampening route-map DAMPENING
 neighbor 192.168.0.2 remote-as 200
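
How the four values in "set dampening 15 750 2000 60" (half-life in minutes, reuse limit, suppress limit, max-suppress time in minutes) play out over time, as an added example that is not part of the original post. The 1000-point penalty per flap, the penalty ceiling and the one-minute time step are assumptions of this sketch.

```python
HALF_LIFE, REUSE, SUPPRESS, MAX_SUPPRESS = 15, 750, 2000, 60  # set dampening 15 750 2000 60
FLAP_PENALTY = 1000  # assumption: penalty added per flap (the IOS default)
# Assumption: the penalty is capped so a route is never suppressed longer than MAX_SUPPRESS.
CEILING = REUSE * 2 ** (MAX_SUPPRESS / HALF_LIFE)


def simulate(flap_minutes, until):
    """Return [(minute, penalty, suppressed)] for a prefix matched by prefix-list XY."""
    penalty, suppressed, timeline = 0.0, False, []
    for minute in range(until + 1):
        if minute:
            penalty *= 0.5 ** (1 / HALF_LIFE)   # one minute of exponential decay
        if minute in flap_minutes:
            penalty = min(penalty + FLAP_PENALTY, CEILING)
        if penalty > SUPPRESS:
            suppressed = True                   # route is dampened
        elif penalty < REUSE:
            suppressed = False                  # route is usable again
        timeline.append((minute, round(penalty), suppressed))
    return timeline


def suppressed_window(timeline):
    """First and last minute during which the route is suppressed, or None."""
    minutes = [m for m, _, s in timeline if s]
    return (minutes[0], minutes[-1]) if minutes else None


# Constructed scenario: three flaps two minutes apart.
TIMELINE = simulate({0, 2, 4}, until=60)
WINDOW = suppressed_window(TIMELINE)
```

Two flaps stay under the suppress limit; the third pushes the penalty over 2000 and the prefix stays dampened until the penalty decays below 750.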

Monday, May 9, 2011

Quick Notes - IRB - IEEE

BBBB must be able to connect to AAAA and vice versa. Layer2 must be used on hub and AAAA/BBBB must leverage layer 3 ports on the directly connected interface.

Sunday, May 8, 2011

Quick Notes - Multicast Boundary

In order to ensure AutoRP and the administratively scoped multicast addresses do not leak outside or into your multicast domain you need to filter the following:

224.0.1.40 - The Cisco multicast router AUTO-RP-DISCOVERY address is the destination address for messages from the RP mapping agent to discover candidates
224.0.1.39 - The Cisco multicast router AUTO-RP-ANNOUNCE address is used by RP mapping agents to listen for candidate announcements
239.0.0.0/8 - Administratively Scoped



Monday, May 2, 2011

Quick Notes - MPLS and OSPF

You must enable MPLS but you cannot enable "mpls ip" on the interface. Current network is leveraging OSPF.

R1

interface Serial1/0
 ip address 192.168.0.1 255.255.255.0
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0

router ospf 1
 mpls ldp sync (this ensures that MPLS waits for the IGP to be fully synchronized before issuing labels - not required for the configuration)
 mpls ldp autoconfig area 0 (this enables MPLS on all interfaces that are in area 0)
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R2

interface Serial1/0
 ip address 192.168.0.2 255.255.255.0
interface Serial1/1
 ip address 192.168.2.2 255.255.255.0


router ospf 1
 mpls ldp sync
 mpls ldp autoconfig
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

Quick Notes - IPV6 DHCP Example

Server
ipv6 dhcp pool IPV6-2001
 prefix-delegation pool IPV6-2001
 dns-server 2001:2001::100

ipv6 dhcp pool IPV6-2002
 prefix-delegation pool IPV6-2002
 dns-server 2001:2001::100

ipv6 local pool IPV6-2001 2001:2001::/64 64
ipv6 local pool IPV6-2002 2002:2002::/64 64

interface Serial1/0
 ipv6 address 2001:2001::1/64
 ipv6 enable
 ipv6 dhcp server IPV6-2001
 serial restart-delay 0

interface Serial1/1
 ipv6 address 2002:2002::1/64
 ipv6 enable
 ipv6 dhcp server IPV6-2002
 serial restart-delay 0

Client
interface Serial1/0
 description CONN-IPV6-DHCP-PROVIDER
 ipv6 address FE80::2 link-local
 ipv6 address IPV6-2001 ::2/64
 ipv6 enable
 ipv6 dhcp client pd IPV6-2001
 serial restart-delay 0


interface Serial1/1
 description CONN-IPV6-CLIENTS
 ipv6 address FE80::2 link-local
 ipv6 dhcp client pd IPV6-2002
 ipv6 address IPV6-2002 ::2/64
 ipv6 enable
 serial restart-delay 0

Sunday, May 1, 2011

Quick Notes - PPP no peer neighbor-route

Peer neighbor routes are required when the PPP neighbor's IP address is on a different subnet. This creates a connected host route in the routing table. When both peers' IP addresses are on the same subnet, use "no peer neighbor-route". A couple of scenarios where you may have peer neighbors in different subnets include:
-Virtual-template interfaces
-IP unnumbered interfaces
-Multilink interfaces
-IPCP negotiated address

"peer neighbor-route" is enabled by default.

Sunday, February 13, 2011

Quick Notes - Multicast IPv4 Addressing

Class D - 224.0.0.0 - 239.255.255.255

Special Purpose Ranges

224.0.0.0 - 224.0.0.255 (Reserved link-local)
224.0.2.0 - 238.255.255.255 (Globally Scoped Addresses)
232.0.0.0 - 232.255.255.255 (Source-specific Multicast Addresses)
233.0.0.0 - 233.255.255.255 (GLOP Addresses)
239.0.0.0 - 239.255.255.255 (Administratively Scoped Addresses)

Reserved Link Local
-OSPF 224.0.0.5 and 224.0.0.6
-RIPv2 224.0.0.9
-EIGRP 224.0.0.10
-All multicast hosts 224.0.0.1
-All multicast routers 224.0.0.2

Globally Scoped
-General purpose applications and extends beyond the local AS

Source-Specific Multicast (SSM)
-Used with IGMPv3, allows a host to specify the source of the multicast traffic

GLOP
-Globally unique multicast based on AS numbers

Limited Scope
-Like RFC 1918, this does not leave the AS and is considered a private address range

Quick Notes - QoS - Serialization Delay MLPPP

Multilink PPP fragments traffic by default, and this can be leveraged by QoS. To reduce serialization delay, perform the following:

Create multilink interface

interface multilink 1
 ip address 1.1.1.1 255.255.255.0
 ppp multilink (this enables fragmentation on the multilink interface)
 ppp multilink interleave (this enables interleaving)
 ppp multilink fragment delay [delay] (specifies how long the fragment will take to leave the interface in milliseconds)

Assign the virtual template to the physical interface

interface serial 0/0/0
 encapsulation ppp
 multilink-group 1

R1
__
interface Multilink1
 ip address 1.1.1.1 255.255.255.0
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 1
end

interface Serial1/0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
end

R2
__
interface Multilink1
 ip address 1.1.1.2 255.255.255.0
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink group 1
end

interface Serial1/2
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
end

R2(config-if)#do show ppp multilink

Multilink1, bundle name is R1
  Endpoint discriminator is R1
  Bundle up for 00:01:40, total bandwidth 1544, load 1/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
  Interleaving disabled
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x7 received sequence, 0x7 sent sequence
  Member links: 1 active, 1 inactive (max not set, min not set)
    Se1/0, since 00:01:41, 1930 weight, 1496 frag size
    Vt1 (inactive)
No inactive multilink interfaces

Disabled!! but....... well you have to use a policy map and set the bandwidth.

class-map match-all CMAP
 match any
policy-map PMAP
 class CMAP
  bandwidth 512
interface Multilink1
 service-policy output PMAP

R2(config)#do sh ppp multilink

Multilink1, bundle name is R1
  Endpoint discriminator is R1
  Bundle up for 00:22:25, total bandwidth 1544, load 1/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
  Interleaving enabled
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x1C received sequence, 0x1C sent sequence
  Member links: 1 active, 1 inactive (max not set, min not set)
    Se1/0, since 00:17:28, 1930 weight, 1496 frag size
    Vt1 (inactive)
No inactive multilink interfaces

That's better!

Saturday, February 12, 2011

Quick Notes - QOS CB-Shaping

Quick Notes - QoS - Class Based-Shaping

Shape-average - Traffic is sent at the CIR with bursting of Be bits per timing interval.

Shape-peak - Traffic is sent at the peak rate. Peak rate = CIR*(1+Be/Bc). This can result in packet loss.

Example shape-average:



R1(config)#class-map CMAP-FTP
R1(config-cmap)#match protocol ftp
R1(config-cmap)#exit
R1(config)#policy-map PMAP-FTP
R1(config-pmap)#class CMAP-FTP
R1(config-pmap-c)#shape average 512000
R1(config-pmap-c)#bandwidth 256
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#service-policy output PMAP-FTP

This guarantees a minimum of 256 kbps with a maximum of 512 kbps.

Quick Notes - BGP Best Route Selection

BGP Best Route Selection

Once a match is found then the selection process is over

1 - Exclude any route with inaccessible next hop
2 - Prefer highest weight (weight is locally significant)
3 - Prefer highest local preference (globally used in AS)
4 - Prefer routes that were originated by the router
5 - Prefer Shortest AS Path
6 - Prefer lowest origin (IGP, EGP, Incomplete)
7 - Prefer lowest MED (MultiExit Discriminator)
8 - Prefer external paths over internal paths (iBGP)
9 - iBGP path - prefer the path through the closest IGP neighbor
10 - eBGP path - oldest path
11 - Prefer path with lowest BGP router-id
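
The list above as a tie-breaking procedure, written as an added example that is not part of the original post. It follows the eleven steps exactly as listed; the Path fields and the sample paths are constructed for illustration.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # step 6: lowest wins

@dataclass
class Path:
    name: str
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0        # IGP cost to the BGP next hop
    age: int = 0               # seconds since the path was learned
    router_id: str = "0.0.0.0"

STEPS = [  # (step number in the list above, key function; the lowest key wins)
    (2, lambda p: -p.weight),
    (3, lambda p: -p.local_pref),
    (4, lambda p: not p.locally_originated),
    (5, lambda p: len(p.as_path)),
    (6, lambda p: ORIGIN_RANK[p.origin]),
    (7, lambda p: p.med),
    (8, lambda p: not p.ebgp),
    (9, lambda p: 0 if p.ebgp else p.igp_metric),
    (10, lambda p: -p.age if p.ebgp else 0),
    (11, lambda p: tuple(int(o) for o in p.router_id.split("."))),
]

def best_path(paths):
    """Return (winner, number of the step that decided the selection)."""
    candidates = [p for p in paths if p.next_hop_reachable]   # step 1
    decided = 1
    for step, key in STEPS:
        if len(candidates) <= 1:
            break                      # a match was found, selection is over
        decided = step
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
    return (candidates[0] if candidates else None), decided

# Constructed sample paths for one prefix.
A = Path("A", as_path=(200, 300), ebgp=True, age=500, router_id="192.168.0.2")
B = Path("B", as_path=(400, 300), ebgp=True, age=900, router_id="192.168.0.3")
C = Path("C", weight=500, next_hop_reachable=False)
D = Path("D", as_path=(300,), igp_metric=20, router_id="10.0.0.1")
```

With these samples, best_path([A, B, C]) drops C at step 1 despite its weight and picks B at step 10 as the older eBGP path, while best_path([A, B, D]) is decided at step 5 by D's shorter AS path.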

Monday, February 7, 2011

Quick Notes - OSPF Authentication

OSPF Authentication

-Null, Type 0
-Clear Text, Type 1
-MD5, Type 2
keyid - used as part of the calculation that produces the MD5 hash; the keyid must be the same on both sides

Note: Ensure that you authenticate virtual links when enabling authentication in area 0

Clear Text

-Under router ospf, "area # authentication"
-Under the interface, "ip ospf authentication-key [password]"

show ip ospf 1 interface
Serial1/2 is up, line protocol is up
  Internet Address 192.168.0.11/24, Area 0
  Process ID 1, Router ID 192.168.0.11, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.0.14
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled


MD5

-Under router ospf, "area 0 authentication message-digest"
-Under the interface, "ip ospf message-digest-key 1 md5 [password]"


do show ip ospf interface
Serial1/2 is up, line protocol is up
  Internet Address 192.168.0.11/24, Area 0
  Process ID 1, Router ID 192.168.0.11, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.0.14
  Suppress hello for 0 neighbor(s)
 Message digest authentication enabled
    Youngest key id is 1
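
Why the key ID has to match on both sides, shown as an added example that is not part of the original post: the digest is computed the way RFC 2328 Appendix D describes (MD5 over the packet followed by the key zero-padded to 16 bytes), and the key ID sits in the header that the digest covers. The secret, sequence number and body bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2   # "MD5, Type 2" in the list above
DIGEST_LEN = 16


def build_packet(router_id, area_id, key_id, seq, body=b""):
    """OSPFv2 header (24 bytes) with the cryptographic auth fields, plus body."""
    header = struct.pack(
        "!BBH4s4sHHHBBI",
        2, 1, 24 + len(body),          # version 2, type 1 (Hello), packet length
        router_id, area_id,
        0,                             # checksum is left at zero for AuType 2
        AUTYPE_CRYPTO,
        0, key_id, DIGEST_LEN, seq,    # zero, key ID, digest length, sequence
    )
    return header + body


def digest(packet, secret):
    """MD5(packet || secret zero-padded to 16 bytes)."""
    return hashlib.md5(packet + secret.ljust(16, b"\x00")[:16]).digest()


def sign(packet, secret):
    return packet + digest(packet, secret)


def verify(wire, keyring):
    """Receiver side: the key ID in the header selects the local secret."""
    (length,) = struct.unpack("!H", wire[2:4])
    packet, received = wire[:length], wire[length:length + DIGEST_LEN]
    autype, _, key_id, auth_len, _seq = struct.unpack("!HHBBI", packet[14:24])
    secret = keyring.get(key_id)
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or secret is None:
        return False
    return hmac.compare_digest(digest(packet, secret), received)


# Constructed sample values (router ID reuses the address in the output above).
RID, AREA0, SECRET = bytes([192, 168, 0, 11]), bytes(4), b"EXAMPLE-KEY"
wire = sign(build_packet(RID, AREA0, key_id=1, seq=1000, body=b"hello-body"), SECRET)

same_id = verify(wire, {1: SECRET})           # key ID and secret match
other_id = verify(wire, {2: SECRET})          # same secret under a different key ID
patched = wire[:18] + b"\x02" + wire[19:]     # key ID byte rewritten in transit
tampered = verify(patched, {2: SECRET})       # header change breaks the digest
```

Only same_id is accepted: a neighbor that holds the same password under key ID 2 rejects the packet, and rewriting the key ID byte does not help because the header is part of the hashed data.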

Sunday, February 6, 2011

Quick Notes - OSPF LSA Types

LSA Types

Type 1 - Router
Type 2 - Network
Type 3 - Network Summary
Type 4 - ASBR Summary
Type 5 - AS External
Type 7 - NSSA External

Router LSA Type 1 - Includes a list of all of the router's links and their states. Flooded in the area they are originated in.

Network LSA Type 2 - The DR produces these LSAs on every multi-access network. Includes all routers including the DR. Flooded in the area they are originated in.

Network Summary LSA Type 3 - Generated by ABR and advertises destinations outside of the area. Flooded throughout the AS

ASBR Summary LSA Type 4 - Generated by the ABR, provides a gateway to type 5 LSA. Flooded throughout the AS

AS External LSA Type 5 - Generated by the ASBR, advertises external destinations or a default route to an external destination. Flooded throughout the AS

NSSA External LSA Type 7 - Generated by ASBR in a not-so-stubby area

Saturday, February 5, 2011

Quick Notes - NAT (Inside/Outside Local/Global)

If you struggle with what is what in regards to Inside/Outside Local/Global then the following may help.

View it from the following perspectives:
Location of the Packet - LOCAL/GLOBAL
Location of the Device - INSIDE/OUTSIDE

Packet Inside
192.168.0.100 - INSIDE LOCAL
200.200.200.100 - OUTSIDE LOCAL

Packet Outside
200.200.200.1 - INSIDE GLOBAL (this address represents 192.168.0.100)
200.200.200.100 - OUTSIDE GLOBAL

Quick Notes - Layer2 MISC

Layer2 MISC

Loop Guard - Prevents alternate ports and root ports from becoming designated ports. If BPDUs are not received on a NON-DP port then the port is moved into err-disabled state
Global config - "spanning-tree loopguard default"

UDLD - Unidirectional Link Detection
- Both sides need to be configured
- default setting is disabled on copper ports and enabled on fibre ports
Enable on copper ports, interface config - udld enable

Root Guard
- the port that has root guard enabled ensures that if a superior BPDU is received the port is put into "root inconsistent state"
Interface config - "spanning-tree guard root"

BPDU Guard
- Ensures that loops are not formed on ports that are enabled to use portfast. If a BPDU is received the port is put into error disabled state. Two ways to enable BPDU Guard:
Global config - "spanning-tree portfast bpduguard default" - All ports that have portfast enabled will also have BPDU guard enabled
Interface config - "spanning-tree bpduguard enable"

BPDU Filter
- When enabled globally and a BPDU is received on a port that is enabled with portfast, the port loses its portfast status
Global config - "spanning-tree portfast bpdufilter default"
- When enabled on the interface the port stops sending and receiving BPDUs. This is dangerous as a loop can form
Interface config - "spanning-tree bpdufilter enable"

Quick Notes - RSTP

RSTP 802.1w

States
- Discarding, Learning, and forwarding state

Alternative Port
- backup port to the designated port for fast convergence

Backup Port
- backup port to the root port for fast convergence

BPDUs
- sent every 2 seconds and act as a keepalive; after 3 missed hellos the protocol information is aged out

Implementing RSTP
- MST automatically enables RSTP - "spanning-tree mode mst"
- PVST+ - "spanning-tree mode rapid-pvst"

Quick Notes - STP

STP 802.1D

Portfast
- Ports coming up are put into forwarding states
- TCN are not generated when a port comes up or down

Uplinkfast
- detects a directly connected failure and enables a new root port immediately
- increases the root priority to ensure that the switch will not become the root
- sets the port cost to 3000
- tracks alternate root ports

Backbonefast
- speeds convergence when a failure occurs and is indirectly located. Reduces convergence from 50 seconds to approx 30 seconds.
- all switches need to be configured with backbonefast